Secrets in the Cloud (slide transcript, uploaded 17-Oct-2020)
Dominik Schadow bridgingIT
Secrets in the Cloud
JAX 2017
    spring:
      datasource:
        username: myDatabaseUser
        password: mySuperSecretDatabasePassword
    ID    USERNAME  PASSWORD             SECRET_ID            SECRET_DATA
    1001  Arthur    kvgkIu7ZuPIdK9G7WUA  duTvd9TinwRlvA6foux  mgxMZwUsPUdW6 42 Secret
    1002  Zaphod    wC28772M7AYVwLe2BOu  dFl8VBo59KS5H1MbY9i  riZpQhP6KCd33 42 Secret
    1003  Slarti    eHkuCs817pYySnk0aKl  zDeZDCSiUSedCOABqcE  sRVYzS1Uc8RzK 42 Secret
    1004  Ford      3kQkFnjyt008yrIjnjf  tZewS6j8yKIbywJYzvs  3HOGqtfYcAVV0 42 Secret
[Diagram: App, DEV, PROD]
Store technical and personal secrets securely in the cloud
Technical Credentials
Embedded Configuration
Maven dependency: com.github.ulisesbocchio : jasypt-spring-boot-starter : 1.12
    spring:
      datasource:
        username: myDatabaseUser
        password: ENC(vvnkG2pj//Jd1vXe7YtuLvyFCtKBA+CVOYAT9qwfB4yuv4jngb6r/g==)
The encryptor password is supplied at runtime through the jasypt.encryptor.password property, as a system property, command line argument or environment variable, for example:
    docker run -e jasypt.encryptor.password=sample-password -p 8080:8080 -t dschadow/sample
Better than before, but we are not there yet…
External Configuration
[Diagram: App -> Config Server -> backends: Plain (git, svn), Jasypt, Encrypted, Vault]
Config Server Cryptography
Properties starting with {cipher} are decrypted before being returned to the client
Symmetric Encryption
    # requires key
    # alternative: environment variable ENCRYPT_KEY
    encrypt:
      key: mySuperSecretKey

Asymmetric Encryption
    # requires keystore or pem file
    encrypt:
      keyStore:
        location: classpath:/server.jks
        password: letmein
        alias: mytestkey
        secret: changeme
Endpoints must be secured
    spring:
      datasource:
        name: config-client-db
        username: config-client-db-user
        password: '{cipher} AQAPseaUfV+p34giF9jspUa475vKWV3bLwJh9sL2Gco8xB0e4GG
                   0z24LRIVXz5SKtESd+t9mFFkfPxJ/SgxPNOgAl+naZSay088bug
                   uJlpnYNHkNDafpoJmLGdeWq7ZTkdIeoCXpZWIioxz5e3GfWudsM
                   jmcJ6smpq6J63OQkmHy6Z00av7kIKscNZksDDTikeKX02mnpGRe
                   lBZfMYqsMF96v7o7tuAT15tTR1v6SHrUpJ83hSy8GgtWRR6egZa
                   Tu8sYzJdkpjOmUMGXNI1flBvFdkWNt78BjzB5Lm4IiXINQFw6SO
                   bcTCsUv3nQbFOELVqg9ajVHrbKi3oaGwcbgpYR3VGgBzAgX/B/T
                   oS/WBRLtRViSXTANE9iCvqArik4Ynfti6KKROBVk9MFe8qMEiV'
decryption failure
Using Multiple Keys
    spring:
      datasource:
        password: '{cipher}{key:myFirstKey}AQUfV+...'
Select existing key with {key:name} in properties file
Demo
"... centrally store, secure, and tightly control access to secrets across distributed infrastructure, applications, and humans."
Internal key encrypts all data with AES
This key never leaves the system
Data is Always Encrypted
High availability
Configured storage backend never sees plain text
File, Amazon DynamoDB, Consul, …
Secret Storage
Store existing secrets
Dynamically create new secrets
Lease time for new secrets, automatic revocation
Access control policies for secrets
Audit Logs
Not active by default
Detailed audit log of all authenticated client interaction
Trace lifetime and origin of any secret
Hashes sensitive information with HMAC-SHA256
Accessible via HTTP API or CLI
Unsealing requires configured number of master keys
    vault server -config vault.conf
    vault init -key-shares=5 -key-threshold=2

    Unseal Key 1: Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Unseal Key 2: T00pjFgitbcy+JKOGI6DFgW/0jBdyrVriLdGu7PENbsC
    Unseal Key 3: YCOKtRUITlH3h155P5LM+2zLbFgIe4vwrOIhO7OWHqED
    Unseal Key 4: rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Unseal Key 5: glxtI6D0YjNfnsB97dp1owHoxTPt8A+HdAdoFrNh5P0F
    Initial Root Token: efe88b79-cf8b-825a-0f6f-ef1ca142782b

    export VAULT_ADDR=http://127.0.0.1:8200
Shamir's Secret Sharing
Only visible after initialization
DEMO!
    vault unseal Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Sealed: true
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 1
    Unseal Nonce: 87f350d5-2a25-a821-dc7f-2962fc49fe03

    vault unseal rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Sealed: false
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 0
    Unseal Nonce:
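The unseal flow above (5 key shares, threshold 2, progress counter) rests on Shamir's Secret Sharing. The following is an added example, not code from the talk or from Vault: a minimal GF(p) implementation of share splitting and Lagrange recovery, wrapped in a Seal class that mimics the "Sealed / Unseal Progress" output; the Seal class and its field names are assumptions for illustration.

```python
import secrets

# GF(p) with p = 2^521 - 1 (a Mersenne prime), large enough to hold a 256-bit master key.
PRIME = (1 << 521) - 1

def split_secret(secret, shares=5, threshold=2):
    """Split `secret` into `shares` points on a random degree-(threshold-1) polynomial."""
    if not (0 < threshold <= shares and 0 <= secret < PRIME):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points

def recover_secret(points):
    """Lagrange interpolation at x = 0; any `threshold` distinct shares suffice."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

class Seal:
    """Mimics `vault init` / `vault unseal`: the master key exists only in memory and only
    after `threshold` distinct shares have been submitted; fewer shares reveal nothing."""
    def __init__(self, master_key, key_shares=5, key_threshold=2):
        self.threshold = key_threshold
        self.unseal_keys = split_secret(master_key, key_shares, key_threshold)  # shown once
        self.submitted = {}
        self.master_key = None              # None means "Sealed: true"

    def unseal(self, share):
        x, y = share
        self.submitted[x] = y               # resubmitting the same share does not advance
        if len(self.submitted) >= self.threshold:
            self.master_key = recover_secret(list(self.submitted.items()))
            self.submitted = {}             # progress resets, as the CLI output shows
        return {"sealed": self.master_key is None,
                "unseal_progress": len(self.submitted), "key_threshold": self.threshold}
```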
Authenticated Access Required
Token: static
AppId: spring.application.name + user id (e.g. IP or MAC address)
AppRole: machine authentication, role id + secret id
AWS: cryptographically signed metadata of the EC2 instance
TLS Certificate: SSL/TLS client certificates
GitHub: GitHub access token
...
Path Based Secret Storage
    vault [ACTION] secret/spring-config
(secret is the mount point, spring-config the application)
Each 'User' is Assigned a Policy
Policies use path based matching to apply rule
Policy may constrain actions and paths
    path "secret/*" { policy = "write" }
    path "auth/token/lookup-self" { policy = "read" }
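To show how the path based matching of the two rules above plays out, here is an added example (not the talk's code and not Vault's implementation): it parses the legacy `policy = "..."` HCL form into capability sets and resolves a request against the most specific matching rule, with a narrower constructed deny rule to show that a deny on a sub-path overrides the broader write.

```python
import re

# Vault's legacy "policy = ..." shorthands, expanded to the capabilities they grant
POLICY_CAPS = {
    "deny": set(),
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
    "sudo": {"create", "read", "update", "delete", "list", "sudo"},
}

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"([^"]+)"\s*\}')

def parse_policy(hcl):
    """Parse the HCL subset used on the slides into (path, capabilities) rules."""
    rules = []
    for path, name in RULE_RE.findall(hcl):
        if name not in POLICY_CAPS:
            raise ValueError(f"unknown policy {name!r} for path {path!r}")
        rules.append((path, POLICY_CAPS[name]))
    return rules

def matching_caps(rules, request_path):
    """Exact path wins; otherwise the longest matching glob (trailing '*') wins.
    No matching rule at all means default deny (returns None)."""
    best = None
    for path, caps in rules:
        if path == request_path:
            return caps
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best[0]):
                best = (path, caps)
    return best[1] if best else None

def allowed(rules, capability, request_path):
    caps = matching_caps(rules, request_path)
    return caps is not None and capability in caps

# Constructed policy: the two rules from the slides plus a narrower deny rule
SPRING_CONFIG_POLICY = """
path "secret/*" { policy = "write" }
path "auth/token/lookup-self" { policy = "read" }
path "secret/admin/*" { policy = "deny" }
"""
RULES = parse_policy(SPRING_CONFIG_POLICY)
```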
CLI: export VAULT_TOKEN=efe88b79-cf8b-825a-0f6f-ef1ca142782b
HTTP API: X-Vault-Token header
    vault write secret/spring-config db.password=config-client-db-password
key/value format (generic backend)
Spring Cloud Vault
    /secret/{application}/{profile}
    /secret/{application}
    /secret/{defaultContext}/{profile}
    /secret/{defaultContext}
Secrets are picked up during application startup
Path based on application name and active contexts
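The four paths above are consulted in that order of precedence. As an added example (not code from the talk or from Spring Cloud Vault), the following builds that path list for an application name and its active profiles and merges the key/value secrets so that the most specific path wins; the KV_STORE contents are constructed sample data and the default context name "application" is Spring Cloud Vault's default.

```python
DEFAULT_CONTEXT = "application"

def secret_paths(app_name, profiles=(), default_context=DEFAULT_CONTEXT, backend="secret"):
    """Paths Spring Cloud Vault consults for an application, highest precedence first.
    Mirrors the slide's list; with several active profiles the last one is most specific."""
    paths = []
    for context in (app_name, default_context):
        for profile in reversed(list(profiles)):
            paths.append(f"{backend}/{context}/{profile}")
        paths.append(f"{backend}/{context}")
    return paths

def resolve_properties(kv_store, app_name, profiles=()):
    """Merge the key/value secrets found under every path; the most specific path
    wins when the same key appears more than once (apply least specific first)."""
    merged = {}
    for path in reversed(secret_paths(app_name, profiles)):
        merged.update(kv_store.get(path, {}))
    return merged

# Constructed generic-backend content, as written with `vault write secret/<path> key=value`
KV_STORE = {
    "secret/application": {"db.username": "shared-user", "db.password": "shared-password"},
    "secret/spring-config": {"db.password": "config-client-db-password"},
    "secret/spring-config/prod": {"db.password": "prod-password", "db.url": "jdbc:prod-host"},
}
```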
Reading and Writing Secrets
Actuator Health Endpoint
Demo
Personal Credentials
API for Secret Management
VaultTemplate to read, write, list and delete secrets
vaultTemplate.read(PATH);
Similar to RestTemplate
Demo
We have created another system to monitor and maintain…
AWS Key Management Service (KMS)
Master key to protect all keys
Service for storing encryption keys
Supporting cryptographic operations with these keys
Access control and auditing functionality
[Diagram: the Key Encryption Key (a.k.a. master key) inside AWS KMS generates and decrypts Data Encryption Key 1, Data Encryption Key 2, ... Data Encryption Key n; Storage holds only the encrypted data encryption key]
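The key hierarchy in the diagram (master key in KMS, per-object data encryption keys, only the wrapped data key in storage) is envelope encryption. The following is an added example, not the talk's code and not the AWS KMS API: a KMS stand-in whose master key never leaves the object, with GenerateDataKey/Decrypt calls recorded for audit. The cipher is a constructed HMAC-SHA256 keystream with encrypt-then-MAC, standing in for AES so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os

def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256 counter keystream XORed with the data.
    Real KMS uses AES; the key-hierarchy logic below is unchanged by that choice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, b"ks" + nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)

class KMS:
    """The key encryption key (master key) never leaves this object; callers only
    ever see data encryption keys, in plaintext briefly and in wrapped form for storage."""
    def __init__(self):
        self._master_key = os.urandom(32)
        self.audit = []                     # KMS logs every use of the master key
    def generate_data_key(self):
        self.audit.append("GenerateDataKey")
        dek = os.urandom(32)
        return dek, encrypt(self._master_key, dek)
    def decrypt_data_key(self, wrapped_dek):
        self.audit.append("Decrypt")
        return decrypt(self._master_key, wrapped_dek)

def store_secret(kms, plaintext):
    """Envelope encryption: a fresh DEK encrypts the data, the wrapped DEK is stored with it."""
    dek, wrapped_dek = kms.generate_data_key()
    return {"ciphertext": encrypt(dek, plaintext), "encrypted_dek": wrapped_dek}

def load_secret(kms, record):
    dek = kms.decrypt_data_key(record["encrypted_dek"])   # only KMS can unwrap the DEK
    return decrypt(dek, record["ciphertext"])
```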
Microsoft Azure Key Vault
IBM Bluemix Key Protect
Summary
Multiple options to protect sensitive data exist
Keep it as simple as possible
Jasypt for simple applications
Config Server cipher for distributed applications
Vault when required
Consider cloud provider services
Demo Project: https://github.com/dschadow/CloudSecurity
AWS KMS: https://aws.amazon.com/de/kms
Jasypt integration for Spring Boot: https://github.com/ulisesbocchio/jasypt-spring-boot
Spring Cloud: http://projects.spring.io/spring-cloud
Vault: https://www.vaultproject.io
Pictures: http://www.dreamstime.com
Marienstr. 17, 70178 Stuttgart
[email protected], www.bridging-it.de
Blog: blog.dominikschadow.de, Twitter: @dschadow